Hi,
first thanks Tom for this great firewall.

I have read a little bit about "port knocking", it is a method to establish a connection to a networked computer that has no open ports. Before a connection is established, ports are opened using a port knock sequence, which is a series of connection attempts to closed ports.

Has someone already done this and can tell me about his experience/used daemon :-).

Thanks in advance.
> I have read a little bit about "port knocking", it is a method to
> establish a connection to a networked computer that has no open ports.
>
> Has someone already done this and can tell me about his experience/used
> daemon :-).

I'm using knockd from http://www.zeroflux.org/knock/

A config like this works fine with shorewall:

[options]
    UseSyslog

[opencloseSSH]
    sequence      = 111:tcp,222:tcp,333:tcp
    seq_timeout   = 15
    tcpflags      = syn,ack
    start_command = /sbin/iptables -I net2fw 2 -s %IP% -p tcp --dport ssh -j ACCEPT
    cmd_timeout   = 10
    stop_command  = /sbin/iptables -D net2fw -s %IP% -p tcp --dport ssh -j ACCEPT
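To make the behaviour of that [opencloseSSH] section concrete, here is an added example (not from the thread and not knockd's own code): a small Python model of one knockd door that reads the section above, tracks each source address's progress through the sequence, and returns the iptables commands knockd would run, with their times, for a constructed packet trace. The trace, the addresses 10.0.0.5 and 10.0.0.9, and the class/function names are all assumptions made for this example; the model also simplifies the daemon (packets are tuples rather than pcap captures, the tcpflags option is not modelled, an out-of-order knock to a sequence port discards the attempt, and commands are returned as strings, never executed).

```python
"""Model of a knockd [opencloseSSH] door (added example, not knockd code).

Assumptions: packets are (time, src_ip, dport) tuples, tcpflags is not
modelled, an out-of-order knock discards the attempt, and the iptables
commands are returned as strings instead of being executed."""
import re

# The section from the thread, pasted verbatim as the model's input.
KNOCKD_CONF = """
[opencloseSSH]
    sequence      = 111:tcp,222:tcp,333:tcp
    seq_timeout   = 15
    tcpflags      = syn,ack
    start_command = /sbin/iptables -I net2fw 2 -s %IP% -p tcp --dport ssh -j ACCEPT
    cmd_timeout   = 10
    stop_command  = /sbin/iptables -D net2fw -s %IP% -p tcp --dport ssh -j ACCEPT
"""


def parse_section(text):
    """Parse 'key = value' lines of one section; sequence becomes [(port, proto)]."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s*=\s*(.*\S)", line)
        if m:
            cfg[m.group(1)] = m.group(2)
    cfg["sequence"] = [(int(port), proto) for port, proto in
                       (item.split(":") for item in cfg["sequence"].split(","))]
    cfg["seq_timeout"] = float(cfg["seq_timeout"])
    cfg["cmd_timeout"] = float(cfg["cmd_timeout"])
    return cfg


class KnockDoor:
    def __init__(self, cfg):
        self.cfg = cfg
        self.ports = set(cfg["sequence"])
        self.attempts = {}   # src_ip -> (index of next expected knock, time of first knock)
        self.pending = []    # (time the stop_command is due, command)

    def _expire(self, now):
        """Return (due_time, stop_command) pairs whose cmd_timeout has elapsed."""
        due = [(t, c) for t, c in self.pending if t <= now]
        self.pending = [(t, c) for t, c in self.pending if t > now]
        return due

    def packet(self, now, src_ip, dport, proto="tcp"):
        """Feed one packet; return [(time, command)] the daemon would run by now."""
        runs = self._expire(now)
        if (dport, proto) not in self.ports:
            return runs                       # knockd's pcap filter never sees these
        idx, started = self.attempts.get(src_ip, (0, now))
        if idx and now - started > self.cfg["seq_timeout"]:
            idx, started = 0, now             # earlier knocks are too old: start over
        if (dport, proto) != self.cfg["sequence"][idx]:
            self.attempts.pop(src_ip, None)   # out of order: attempt is discarded
            return runs
        idx += 1
        if idx < len(self.cfg["sequence"]):
            self.attempts[src_ip] = (idx, started)
            return runs
        # Full sequence seen inside seq_timeout: open now, schedule the close.
        self.attempts.pop(src_ip, None)
        runs.append((now, self.cfg["start_command"].replace("%IP%", src_ip)))
        self.pending.append((now + self.cfg["cmd_timeout"],
                             self.cfg["stop_command"].replace("%IP%", src_ip)))
        return runs

    def tick(self, now):
        """Flush stop commands that fell due without further packets."""
        return self._expire(now)


# Constructed trace: (time in seconds, source IP, destination TCP port).
TRACE = [
    (0, "10.0.0.5", 111), (1, "10.0.0.5", 222), (2, "10.0.0.5", 333),    # correct knock
    (3, "10.0.0.9", 111), (4, "10.0.0.9", 333),                           # out of order
    (5, "10.0.0.9", 111), (6, "10.0.0.9", 222), (30, "10.0.0.9", 333),    # third knock too late
    (31, "10.0.0.9", 111), (32, "10.0.0.9", 222), (33, "10.0.0.9", 333),  # retry succeeds
    (34, "10.0.0.9", 8080),                                               # not a sequence port
]


def run_trace(cfg, trace, end):
    """Replay a trace through one door and collect every (time, command)."""
    door = KnockDoor(cfg)
    runs = []
    for now, src, port in trace:
        runs.extend(door.packet(now, src, port))
    runs.extend(door.tick(end))
    return runs


if __name__ == "__main__":
    for when, cmd in run_trace(parse_section(KNOCKD_CONF), TRACE, end=50):
        print(f"t={when:>5}: {cmd}")
```

Running it shows the two things worth checking in such a config before relying on it: the 10.0.0.9 attempt at t=30 does not open anything because seq_timeout (15 s) is measured from the first knock, and each successful open is followed by the matching `iptables -D` exactly cmd_timeout (10 s) later, so the rule that admits new connections from that address exists only for that window.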
Simon Matter wrote:
> I'm using knockd from http://www.zeroflux.org/knock/

That's really cool, hadn't seen that one before. What do you use as a knocker client? I suppose you could just use SSH and specify the port on the command and Ctrl-C out of it???

-- 
Matt Burleigh
Senior Systems Engineer
Enterprise Integration, Inc.
eiisolutions.com
703.236.0790
Simon Matter wrote:
> I'm using knockd from http://www.zeroflux.org/knock/
>
> A config like this works fine with shorewall:
>
> [options]
>     UseSyslog
>
> [opencloseSSH]
>     sequence      = 111:tcp,222:tcp,333:tcp
>     seq_timeout   = 15
>     tcpflags      = syn,ack
>     start_command = /sbin/iptables -I net2fw 2 -s %IP% -p tcp --dport ssh -j ACCEPT
>     cmd_timeout   = 10
>     stop_command  = /sbin/iptables -D net2fw -s %IP% -p tcp --dport ssh -j ACCEPT
>
> _______________________________________________
> Shorewall-users mailing list
> Post: Shorewall-users@lists.shorewall.net
> Subscribe/Unsubscribe: https://lists.shorewall.net/mailman/listinfo/shorewall-users
> Support: http://www.shorewall.net/support.htm
> FAQ: http://www.shorewall.net/FAQ.htm

Thanks, I think that's exactly what I need. I will try it.
You guys are really fast :-). Thanks, again.
> Simon Matter wrote:
>> I'm using knockd from http://www.zeroflux.org/knock/
>
> That's really cool, hadn't seen that one before. What do you use as a
> knocker client? I suppose you could just use SSH and specify the port on
> the command and Ctrl-C out of it???

I'm using telnet for now. I think even bash2 should work or netcat.
Stefan Drees wrote:
> Simon Matter wrote:
>> I'm using knockd from http://www.zeroflux.org/knock/
>>
>> A config like this works fine with shorewall:
>
> Thanks, I think that's exactly what I need. I will try it.
> You guys are really fast :-). Thanks, again.

I tried to compile knockd but it failed, with the following error:

.....
src/knockd.c:696: warning: ANSI C forbids braced-groups within expressions
gcc -g -O2 -g -Wall -pedantic -fno-exceptions -D_GNU_SOURCE -I. -o src/list.o -c src/list.c
gcc ./src/knockd.o ./src/list.o -o knockd -lpcap
./src/knockd.o: In function `main':
/usr/src/knockd-0.3/src/knockd.c:182: undefined reference to `pcap_datalink_val_to_name'
collect2: ld returned 1 exit status
make: *** [knockd] Error 1

I'm using debian 3.0r1. Can someone help?

Thanks in advance.
Stefan Drees wrote:
> I tried to compile knockd but it failed, with the following error:
> .....
> src/knockd.c:696: warning: ANSI C forbids braced-groups within expressions
> gcc -g -O2 -g -Wall -pedantic -fno-exceptions -D_GNU_SOURCE -I. -o src/list.o -c src/list.c
> gcc ./src/knockd.o ./src/list.o -o knockd -lpcap
> ./src/knockd.o: In function `main':
> /usr/src/knockd-0.3/src/knockd.c:182: undefined reference to `pcap_datalink_val_to_name'
> collect2: ld returned 1 exit status
> make: *** [knockd] Error 1
>
> I'm using debian 3.0r1. Can someone help?

apt-get install knockd :-)

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
> Stefan Drees wrote:
>> I tried to compile knockd but it failed, with the following error:
>> .....
>> ./src/knockd.o: In function `main':
>> /usr/src/knockd-0.3/src/knockd.c:182: undefined reference to `pcap_datalink_val_to_name'
>> collect2: ld returned 1 exit status
>> make: *** [knockd] Error 1
>>
>> I'm using debian 3.0r1. Can someone help?
>
> apt-get install knockd :-)

I'm sure that may work. But, as a maintainer of the knockd rpm, I remember that there are two issues with knockd:

1) it needs a newer libpcap than what is installed on many stable systems. I have therefore modified knockd to remove that dependency.

--- knock-0.3/src/knockd.c.orig	Fri May  7 00:56:03 2004
+++ knock-0.3/src/knockd.c	Wed May 19 09:29:28 2004
@@ -179,8 +179,7 @@
 			dprint("ppp interface detected (linux \"cooked\" encapsulation)\n");
 			break;
 		default:
-			fprintf(stderr, "error: unsupported link-layer type: %s\n",
-					pcap_datalink_val_to_name(lltype));
+			fprintf(stderr, "error: unsupported link-layer type: %d\n");
 			cleanup(1);
 			break;
 	}

2) the code doesn't compile with newer gcc's. I think there are some small syntax problems with the code but I'm not an expert here. If anyone has created a patch I'll be happy to include it into my rpm distribution and I'm sure the author of knockd will also be happy.

Simon
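Review bot: the `+` line `fprintf(stderr, "error: unsupported link-layer type: %d\n");` keeps a `%d` conversion but passes no argument for it, so the call reads a variadic argument that was never supplied (undefined behaviour in C; in practice the printed number is garbage), and the diagnostic loses the one fact it is meant to report. Keep the integer format and pass the value: `fprintf(stderr, "error: unsupported link-layer type: %d\n", lltype);`. Dropping pcap_datalink_val_to_name() is otherwise fine for building against an older libpcap, since that function only turns the DLT number into a name and the number alone still identifies the link type.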
Simon Matter wrote:
> I'm sure that may work. But, as a maintainer of the knockd rpm, I remember
> that there are two issues with knockd:
> 1) it needs a newer libpcap than what is installed on many stable systems.
> I have therefore modified knockd to remove that dependency.
>
> --- knock-0.3/src/knockd.c.orig	Fri May  7 00:56:03 2004
> +++ knock-0.3/src/knockd.c	Wed May 19 09:29:28 2004
> @@ -179,8 +179,7 @@
>  			dprint("ppp interface detected (linux \"cooked\" encapsulation)\n");
>  			break;
>  		default:
> -			fprintf(stderr, "error: unsupported link-layer type: %s\n",
> -					pcap_datalink_val_to_name(lltype));
> +			fprintf(stderr, "error: unsupported link-layer type: %d\n");

Don't you rather want the following?

	fprintf(stderr, "error: unsupported link-layer type: %d\n", lltype);

--------

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
>> I'm sure that may work. But, as a maintainer of the knockd rpm, I remember
>> that there are two issues with knockd:
>> 1) it needs a newer libpcap than what is installed on many stable systems.
>> I have therefore modified knockd to remove that dependency.
>>
>> -			fprintf(stderr, "error: unsupported link-layer type: %s\n",
>> -					pcap_datalink_val_to_name(lltype));
>> +			fprintf(stderr, "error: unsupported link-layer type: %d\n");
>
> Don't you rather want the following?
>
> 	fprintf(stderr, "error: unsupported link-layer type: %d\n", lltype);

Thanks Tom, I fixed it in the rpm. I have also fixed the build problem on Fedora Core. The same applies to the cutter package, which now also builds on Fedora Core.

Simon
Tom Eastep wrote:
> Simon Matter wrote:
>> I'm sure that may work. But, as a maintainer of the knockd rpm, I remember
>> that there are two issues with knockd:
>> 1) it needs a newer libpcap than what is installed on many stable systems.
>> I have therefore modified knockd to remove that dependency.
>>
>> -			fprintf(stderr, "error: unsupported link-layer type: %s\n",
>> -					pcap_datalink_val_to_name(lltype));
>> +			fprintf(stderr, "error: unsupported link-layer type: %d\n");
>
> Don't you rather want the following?
>
> 	fprintf(stderr, "error: unsupported link-layer type: %d\n", lltype);
>
> --------
>
> -Tom

Thanks, works fine.